Recently, a Chinese state-sponsored APT group targeted at least five online gambling firms. The adoption of ransomware tactics points to the fact that these APT groups are aiming for financial gains as these attacks don’t count as espionage targets.
Spilling the details
The attack was launched by APT27, also known as Emissary Panda. This is a Chinese state-sponsored APT group that mainly focuses on cyberespionage. However, this particular attack stands out since the group resorted to ransomware tactics, which is unexpected of it, and thus, was mainly focused on financial gains. Hence, it can be said that APT27 is not just aiming at stealing information and data, but has evolved to encompass financial motives in its attacks.
Emissary Panda is not the only one that has shifted to financial motives. The group to pave the way was APT41, which is another Chinese state-sponsored group that amalgamated cyberespionage and financial gains. It has targeted several industry verticals, including healthcare, media, pharmaceuticals, travel services, and education, among others.
Overlaps with other threat actors
- APT41 partially coincides with BARIUM and Winnti.
- Digital certificate used by Winnti has been found to overlap with multiple groups such as APT20, APT41, and APT 17, all of which are Chinese espionage groups.
- A substantial number of non-public tools leveraged by APT41 has been utilized by diverse threat actors. Source code has been spotted to coincide with HIGHNOON, HOMEUNIX, SOGU, PHOTO, and ZXSHELL, among others.
The bottom line
As of now, the reason for Chinese APT groups shifting to personal financial gains from state-sponsored cyberespionage activities is yet to be determined. APT groups have expanded their targets and capabilities, pointing to more victims over the following years.